ramnit | 9603615f571596615b96c08f68cb08d7ad5e602f5f2d56aef683c3b6ea8cc02f

Analysis

max time kernel
122s
max time network
139s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-02-2025 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
Size

1.9MB
MD5

f63713e434c774d79ea05c743dbbc986
SHA1

9aa80ff8294bc0ba6faae20b4812c78c429ea2c7
SHA256

9603615f571596615b96c08f68cb08d7ad5e602f5f2d56aef683c3b6ea8cc02f
SHA512

e1335bd59cb896776b2e6f5f31d16127d112a98d98a2a843c0b8441e41347ff0ebf125d6856de0c7a550023e4dbd0218be33663c0f602df2069f1033e0396aac
SSDEEP

49152:gPSdG9Ws3y5F1p0xrxOlU9E+mwqnaOW1PEWxKih0EtUKOMifzKJofjvy7mpmm9mu:uSuWs3y5zp0xrMU9EmqnaOW1PEWxKOfI

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 6 IoCs

pid	Process
2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
2836	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
2908	DesktopLayer.exe
2696	DesktopLayerSrv.exe
1712	DesktopLayerSrvSrv.exe

Loads dropped DLL 6 IoCs

pid	Process
1176	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
2908	DesktopLayer.exe
2696	DesktopLayerSrv.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001227e-2.dat	upx
behavioral1/memory/2524-11-0x00000000003A0000-0x00000000003DD000-memory.dmp	upx
behavioral1/memory/2524-10-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x0008000000016d0c-19.dat	upx
behavioral1/memory/2440-24-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2524-23-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x0009000000018b05-25.dat	upx
behavioral1/memory/1712-71-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1712-67-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2696-64-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2696-57-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2908-55-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2836-51-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2836-42-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2908-41-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2440-40-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2440-37-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px366C.tmp	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px36AA.tmp	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px36E8.tmp	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3775.tmp	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3840.tmp	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7CB75201-EDAE-11EF-AF7A-C23FE47451C3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1176	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
1176	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
2836	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
2908	DesktopLayer.exe
2836	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
2908	DesktopLayer.exe
2836	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
2908	DesktopLayer.exe
2836	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
2908	DesktopLayer.exe
2696	DesktopLayerSrv.exe
2696	DesktopLayerSrv.exe
2696	DesktopLayerSrv.exe
2696	DesktopLayerSrv.exe
1712	DesktopLayerSrvSrv.exe
1712	DesktopLayerSrvSrv.exe
1712	DesktopLayerSrvSrv.exe
1712	DesktopLayerSrvSrv.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2036	iexplore.exe
2224	iexplore.exe
2900	iexplore.exe
2724	iexplore.exe
2744	iexplore.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
1176	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
2224	iexplore.exe
2224	iexplore.exe
2036	iexplore.exe
2036	iexplore.exe
2900	iexplore.exe
2900	iexplore.exe
2724	iexplore.exe
2744	iexplore.exe
2724	iexplore.exe
2744	iexplore.exe
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
872	IEXPLORE.EXE
872	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
652	IEXPLORE.EXE
652	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2524	1176	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe	29
PID 1176 wrote to memory of 2524	1176	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe	29
PID 1176 wrote to memory of 2524	1176	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe	29
PID 1176 wrote to memory of 2524	1176	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe	29
PID 2524 wrote to memory of 2440	2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	30
PID 2524 wrote to memory of 2440	2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	30
PID 2524 wrote to memory of 2440	2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	30
PID 2524 wrote to memory of 2440	2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	30
PID 2440 wrote to memory of 2836	2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	31
PID 2440 wrote to memory of 2836	2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	31
PID 2440 wrote to memory of 2836	2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	31
PID 2440 wrote to memory of 2836	2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	31
PID 2440 wrote to memory of 2900	2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	33
PID 2440 wrote to memory of 2900	2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	33
PID 2440 wrote to memory of 2900	2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	33
PID 2440 wrote to memory of 2900	2440	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	33
PID 2524 wrote to memory of 2908	2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	32
PID 2524 wrote to memory of 2908	2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	32
PID 2524 wrote to memory of 2908	2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	32
PID 2524 wrote to memory of 2908	2524	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	32
PID 2908 wrote to memory of 2696	2908	DesktopLayer.exe	34
PID 2908 wrote to memory of 2696	2908	DesktopLayer.exe	34
PID 2908 wrote to memory of 2696	2908	DesktopLayer.exe	34
PID 2908 wrote to memory of 2696	2908	DesktopLayer.exe	34
PID 2836 wrote to memory of 2724	2836	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe	35
PID 2836 wrote to memory of 2724	2836	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe	35
PID 2836 wrote to memory of 2724	2836	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe	35
PID 2836 wrote to memory of 2724	2836	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe	35
PID 2908 wrote to memory of 2224	2908	DesktopLayer.exe	36
PID 2908 wrote to memory of 2224	2908	DesktopLayer.exe	36
PID 2908 wrote to memory of 2224	2908	DesktopLayer.exe	36
PID 2908 wrote to memory of 2224	2908	DesktopLayer.exe	36
PID 2696 wrote to memory of 1712	2696	DesktopLayerSrv.exe	37
PID 2696 wrote to memory of 1712	2696	DesktopLayerSrv.exe	37
PID 2696 wrote to memory of 1712	2696	DesktopLayerSrv.exe	37
PID 2696 wrote to memory of 1712	2696	DesktopLayerSrv.exe	37
PID 2696 wrote to memory of 2036	2696	DesktopLayerSrv.exe	38
PID 2696 wrote to memory of 2036	2696	DesktopLayerSrv.exe	38
PID 2696 wrote to memory of 2036	2696	DesktopLayerSrv.exe	38
PID 2696 wrote to memory of 2036	2696	DesktopLayerSrv.exe	38
PID 1712 wrote to memory of 2744	1712	DesktopLayerSrvSrv.exe	39
PID 1712 wrote to memory of 2744	1712	DesktopLayerSrvSrv.exe	39
PID 1712 wrote to memory of 2744	1712	DesktopLayerSrvSrv.exe	39
PID 1712 wrote to memory of 2744	1712	DesktopLayerSrvSrv.exe	39
PID 2224 wrote to memory of 872	2224	iexplore.exe	40
PID 2224 wrote to memory of 872	2224	iexplore.exe	40
PID 2224 wrote to memory of 872	2224	iexplore.exe	40
PID 2224 wrote to memory of 872	2224	iexplore.exe	40
PID 2036 wrote to memory of 1492	2036	iexplore.exe	41
PID 2036 wrote to memory of 1492	2036	iexplore.exe	41
PID 2036 wrote to memory of 1492	2036	iexplore.exe	41
PID 2036 wrote to memory of 1492	2036	iexplore.exe	41
PID 2900 wrote to memory of 2984	2900	iexplore.exe	42
PID 2900 wrote to memory of 2984	2900	iexplore.exe	42
PID 2900 wrote to memory of 2984	2900	iexplore.exe	42
PID 2900 wrote to memory of 2984	2900	iexplore.exe	42
PID 2724 wrote to memory of 652	2724	iexplore.exe	43
PID 2724 wrote to memory of 652	2724	iexplore.exe	43
PID 2724 wrote to memory of 652	2724	iexplore.exe	43
PID 2724 wrote to memory of 652	2724	iexplore.exe	43
PID 2744 wrote to memory of 1816	2744	iexplore.exe	44
PID 2744 wrote to memory of 1816	2744	iexplore.exe	44
PID 2744 wrote to memory of 1816	2744	iexplore.exe	44
PID 2744 wrote to memory of 1816	2744	iexplore.exe	44

C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:652
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1816
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1492
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
300a9ee53318ad39f4ab57d54884ea27

SHA1
f879307ba557a6d2c98a437644b4092e2c09ddb8

SHA256
3b99224fb2fa55a1fd7db947842b6b4fba5f5b561f15adfc556a93af90c0129a

SHA512
e4d91c8061585b0885474e2986a676e66932ff21e3e552600e11043ae53942435c88addfc1d93a6a98aa1df24ce9be0ccf862f35c6ed760cfaa9106429f8ab6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e68f40b146117d5f7916ab384f63b367

SHA1
73c794b67603b146ed0076134f2e4966ac05cc4d

SHA256
c07914d633cf15324cf089c96702fb987573d6ba5e7176585041f5ecbc07a385

SHA512
50e4f41cff2201e028543a8c94b714bd2ddf7d544bcc6153fa69705335027df5f47d18d285d0e1a9e47173e987a3b2cd4f1d075b17676b17571627630701076d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f894ae30b3325831e21c28ecbb42f7d

SHA1
2773dbc09b56b2148199f747e2c600785d6efc3d

SHA256
8ed1f70e6befc6be726c724e0f5ccfe68b36c04aeaddd6bfbc28fc1bcc63ff05

SHA512
39fd0d91c6c1e382a272cdef25b67c235dffb983089ee5a352860f4d28ce8d4ccb96b7fa2c73f64a7f959e3c5ef085c8c4e410a45519b4b6de4775c7b9680622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f09099bc65b1753727978472f3124617

SHA1
52e64275e0aede8fb73b4557785bb6eda8d62152

SHA256
ff6e82b91bed7abe6183f44dc4fede2fdc8854b2a3241df4bc7f8143647d81ce

SHA512
33fe52721af8f4d1ef9ed5d3e8971264edb3299d14b2a53ee20423553645847b37576f52379f1833ec8386beedb9ac218069b65bd36846a83ee2dc062886ba38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28c182b82da47a036550d63d50f4f0a9

SHA1
71436d4fe0bca1878ad1965128bdae552f6f7096

SHA256
31c854128621e58b44095c6c09b599c50158020bb5df2189a9bc461aff2b1770

SHA512
cdcaad0d596702a0369ff8d10df80f792cd44b0ac2e1c956a75c26371dbd1eccc2a3ca625f94a4e4e88ab948ac6facf549e76a8d71536dae4493e4a7caf2165a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6a9f940eabad0eb5f23ea463814edf3

SHA1
44ded6b19857169ee55de6b771de0f9a58b5633c

SHA256
aee0ed80f78291520824c1c48dc22cb246b0e1667621c0c0bd9daa5fba393df2

SHA512
71ea53412fef9e091eaf250206a3cd9e226de1cb24d274d1d14ee950ffd043d246f8a9fc4c8517fd867d71b640f82c9ebd5c7c951eeff31afa1ccee057b1dc76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3e6f4bc9d0a9c0795fc29eec91ed433

SHA1
e36511d11c6d24940c295b4fccc4b1611a06cd0d

SHA256
5e21ca6d87bcb845f51fff8cfadc7fbdb593095244f1cbb1b2a6ac04855e8903

SHA512
007534a59c6b6ed1d0e7db93df7b4b1cee57e0abdf0fd01606481fa77872457a7ca716979644f0802c5d24e3e81cef4425bc159c286869222623e93085b541ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37c70fc0607305f861d3168156e3112d

SHA1
9e5e5d8ce95b89e7bce5c2e7229f0b8d471a17c6

SHA256
99b4fd813cc544e1a5b2bbf2d5143eecf629f7ca873841aa7423938fb5752222

SHA512
28b992813b92c1026f1993223c96da9344039a522f899077ec6337245f9434e3fdd346a1edd1db0e2414e9c039bc1c9c068cdc64d7f9f2e5b55cb1395fd70125

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eff8e74b37e90bd8f00d6470cf60dca5

SHA1
01e6276f7db6a36bc8d74d7b1c4d3717b2afedba

SHA256
84d1cb7457427c6c50aef85e024571ad9ba0b1f7b6364b95fad7d6107b56cb0d

SHA512
4893dc0cc3b86c6deb9288c66329a9d7cbcd4271796adbc03fc607c4a6a4c254d75ae91f170e84dae71c7290902f7fd971c669b25961088f645c7a38832e6748

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20e671e382cb823b62a437d0be998e13

SHA1
7f834714b3c579e41c3ebc4e3f3b042aa0b5cf7b

SHA256
3e5c07cc4123325f289c84d95b7e383b00e5dde72d392d7d5b126748dcc38943

SHA512
80eda5defed8e4ebc1ba5cf929498fa111071f21772ffbe6223123717768356281426a307f2120d0d67f1de77452bd0cf45ffa035d3c9fa1524ecc94093c1f46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20e3d4d690d80a965fd5e14ded46b302

SHA1
04317d3344cab082cdc320b65d8415f5c8a6a36b

SHA256
50b5c8205c4bdf8dd0af01858df3de1fac2cdb5bbcb82e0fafd6e10d5710bc4b

SHA512
3ee4adfbe376e65702f0dffd78f06544058e2af887509e9dd3608e61b300b74b96d3a6ae2cc22fb9199e358c4a91cd1fde6929e6c18add30854d967eab201457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ba35eb3e8bf5c0f0c8c75bcf8187b0b

SHA1
ecc59b17d0e20eb8b3a7d8caa44779fb825e6933

SHA256
3e95702da61f1051726aaab646f13039f99877cd6dbeb816a116cdd1d7f2627b

SHA512
b7d2d30c8ccab75992449b88b01e5b747b99deebb573442ab19a84d2690aaa2d82ecf7f94e8f9f6683c9379b93f9536758df0e6e60e9eb481b200f8e565458ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
950f2d068ca81571158c65879d45e50c

SHA1
826298ceb04216f6b8774528168ebc63bbc26585

SHA256
677231461bd0fccca955be883823d65d9424e9d1de41e0d0a21264ecf91864a2

SHA512
69fd4bde1f38dd22962b30aadfeebb7367e2dbdeadaa67ea5d130c34d21debcea32b479b90d18015a66632ebda4f7b6efc3934c341621c29a2d3ebaf2548b3f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2383a4844ec5c1822ff9d0741070caa5

SHA1
31c96fe166ced75a86f78aefb4817e25ce52d768

SHA256
1c7bc481aaae6c44192998f7d9c12a2d0491125ea483155c0712323f4cde9b4d

SHA512
895ff9c396edf3182abb011bdc6cc59a3691a7dac618311faf771efbc4a1ef4fa3a42a24e5f0ba90a9710d61733c0cde342db06df49c7bebb9f5f22c61839765

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15ac597e4df52e7be35a337fc0dd38d9

SHA1
b53384377efd9acd8955ec73551896c1d5f88c2e

SHA256
5661eb65151cdda6c2cbb7f924fc85d155f8c671faaf8a8d8ab815a61759fb09

SHA512
194d4c60e784f89ec5465ead6fed926550d9d7f9f1dc5e9d236b274950995062596cb1ace37b8bfb3f05d9d785c39488ce98b980b461ecf55b884cc68d5cfbae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
446395d8c99b1f3bef51864d28bcb81a

SHA1
f7930cac3b294c2323093b1b54fb7502e840b7d4

SHA256
24deff1fd0dc07bfe46290fce31bac23ce8492bdbbd8cee14525950d8a50d1ff

SHA512
666540955b948fa4c218794162d21bd8bfdff3440adba758ae0c122b458eb125ff7061b891c17b44a631b5d7ec56a898f87738d1c9d2a04402714525a3c855db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b59c6ab3780d754def0b37067e9985d

SHA1
408576b4ae8ae6f6f10fa453a666dd28c07d0bec

SHA256
40c76a5d2fbababe277bf951831c1634725b7626bfd1be6aa47066d8988866db

SHA512
16f83b9417ce9a88116281247279514543ba4b01886a3ca36409210fc862132d81553ca3ccb247de5d852ee9983714b1f2d61d24805013d8fd3e9b65ec9a2304

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cfc6b461e0c65cc3e19477e3236a043

SHA1
01a59965bab1284217cae1c41fcf93588d37df29

SHA256
6e6eb2ad80fe3a85499b1115a1f4b0def8d29caf1805925ff13fb8424444ad87

SHA512
b9d9a2caf401b0b3028d66b47e71476f069b42044189414eec181d7055ce79a0548743d36efe32f6ca0f89c0508fdbb7c9c43e1ce361e1d3f750e712d1381280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7C855521-EDAE-11EF-AF7A-C23FE47451C3}.dat

Filesize
5KB

MD5
361ef6f9a77c8177ad3a93b2e1181a80

SHA1
b17fdea60184157e149c6740548d0d57115bc699

SHA256
3ab251c163daac06dff4a855bcc2b1fe6db9ed9a01a71adfd009d0e8186e296f

SHA512
6f5d56be9b2781c09c8946ce951943c3763e1a608f2333676780fa316771ade9b9523c42fce3fef53879763da9085551dbd27bcbad240658273c8ff72da271cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7C8A17E1-EDAE-11EF-AF7A-C23FE47451C3}.dat

Filesize
3KB

MD5
3f756dac1fe4be6ddbcdb832f52c56ac

SHA1
bd5331b0bfea8d96c9f6a38acc53ab72c2971684

SHA256
8e728ef67cfc24cec5368d31461bcb9d60f4be9b14eca513a6ff0fa11eee2f5f

SHA512
0b824f4595de3de53edb7bf9a30b08ed85488ea481cbf4f2f3e3208f44517bcbaa02fa2be2d0047bf0810bcb8d0c3de96abfcc625f8e3f8e198c5df8435d4b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7C986021-EDAE-11EF-AF7A-C23FE47451C3}.dat

Filesize
5KB

MD5
8cc87558386a5e3b9715346b3616e46c

SHA1
94cfd240d11541e57c92f63a35f981faa4d3badf

SHA256
ddb75217a6bf9b48188a7a55fe2c5c39d7401467012efba19f65003980bd57e5

SHA512
a506b44a6892b41bff871135d07a02cd04ab0aea2694617592ab21e5660edab77c64340becbde563dd31de3e66460cb79ca667c8a25ddcc86d7bf954a1bc49b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CB02DE1-EDAE-11EF-AF7A-C23FE47451C3}.dat

Filesize
3KB

MD5
298a465ad7b1bff90e0d8c897e52c7de

SHA1
72cbc00d9f3858a71325e2eeb6c6a0256df4a2a4

SHA256
bfe40f71a7515f487aba6d73645cf12d40be0443eabed91f9ac3e9bf32f7d363

SHA512
259b633d3aac5578ad3c0f2d6cfeedc855357c263e9f7cf019d240344befd371fcd79a6ec6973e5fb879a86bbd71a82aea26795c7ea6983fd7c7b008e8d77816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CB02DE1-EDAE-11EF-AF7A-C23FE47451C3}.dat

Filesize
5KB

MD5
a71549d37b388d4f09a3f4b273dbe8fd

SHA1
fcbfdb14a9d6d22fc7b6c222905d85568d8556ca

SHA256
cd0f96f9f7a0805afb00d1a7dab07cd102dc895aa26ff6fdadf4cc9043af2f4a

SHA512
3394ef9db416e58a44684f26c8030b596177f21d029842db04fdd2aaa27170160983691f9555d2e00eafa0f6afc41459488660f20fa4b70bab816f3b722d94be

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe

Filesize
111KB

MD5
0807f983542add1cd3540a715835595e

SHA1
f7e1bca5b50ab319e5bfc070a3648d2facb940eb

SHA256
8b492fd5118993f8adb4ddbba5371a827fa96ff69699fe82286ad3a92758bf5f

SHA512
27161f765072f32977bfae3737a804492251514bd256336ed9eee985a760f11c8c778bfb45760bdbf94cb69ed49fa6831f2700548a290412a577fbc70a5b7d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab51BB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar527A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe

Filesize
168KB

MD5
b6475f6ca119d32ef8cabb757b3be1db

SHA1
0bb7f7a4ba87a089b0be1be9210fef550b0b2e2e

SHA256
644e4758783803f7a4f9e23d0aec52607f2aa04f2377e7ae80fbca8d48a03d31

SHA512
f272921a7bbba0f2edb8e7262a203c009b159aa87fa32bc773176151ca3a1d0b40c2a052af08e223ec1f21778cc2fd2cbba831fb5770a2fa30998c995db925f2

Download Submit
\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1176-56-0x0000000000200000-0x00000000003ED000-memory.dmp

Filesize
1.9MB

Download
memory/1176-0-0x0000000000200000-0x00000000003ED000-memory.dmp

Filesize
1.9MB

Download
memory/1176-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1176-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1712-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1712-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2440-77-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2440-37-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2440-28-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/2440-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2440-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2440-33-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2524-23-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2524-22-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2524-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2524-11-0x00000000003A0000-0x00000000003DD000-memory.dmp

Filesize
244KB

Download
memory/2696-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2696-57-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2836-42-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2836-51-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2908-41-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2908-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download